Netgate Discussion Forum

    OpenVPN tap can connect to all LAN except the firewall itself

    amarshall

      I’ve mostly followed this guide to set up a tap-based OpenVPN server on pfSense 2.3.2, and my client can connect okay, gets an IP address on the LAN, and can connect to all devices on the LAN, as well as ping pfSense, but it cannot connect to other services on the pfSense box (e.g. SSH, HTTPS, DNS). There are no entries in the firewall log indicating that anything was blocked, and adding any/any rules to the LAN, TAP, and BRIDGE interfaces has no effect. Nothing particularly interesting-looking in any other logs, either.

      What could I be missing that would cause this scenario?

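      An added diagnostic script, not part of this thread, that reproduces the symptom check from the opening post from the VPN client side: it separates "the firewall does not answer at all" from "the firewall answers ping and the LAN works, but the firewall's own daemons (SSH, HTTPS, DNS) do not". The firewall and LAN-host addresses are placeholders, and the script assumes a Linux client with `ping` and `nc` available.

```shell
#!/bin/sh
# Added example (not from the forum thread): triage whether only the
# firewall's own services are unreachable over an OpenVPN tap bridge.
# Addresses below are placeholders; override with FW=... LAN_HOST=... ./check.sh run

FW="${FW:-192.168.1.1}"               # pfSense LAN address (placeholder)
LAN_HOST="${LAN_HOST:-192.168.1.156}" # any other LAN host that should answer (placeholder)

# probe_icmp HOST -> prints "up" or "down" (Linux iputils ping, 2 s timeout)
probe_icmp() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# probe_tcp HOST PORT -> prints "open" or "closed" (2 s connect timeout)
probe_tcp() {
    if nc -z -w 2 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# count_open HOST PORT... -> number of listed ports that accepted a TCP connect
count_open() {
    host=$1; shift
    n=0
    for p in "$@"; do
        if [ "$(probe_tcp "$host" "$p")" = open ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# classify ICMP FW_OPEN LAN_OPEN -> one-word verdict
#   ICMP     : "up"/"down" for a ping to the firewall
#   FW_OPEN  : number of firewall service ports that accepted a TCP connect
#   LAN_OPEN : number of ports on another LAN host that accepted a TCP connect
classify() {
    if [ "$1" = down ]; then
        echo no-route-to-firewall          # tunnel or bridge passes no traffic to the firewall
    elif [ "$2" -gt 0 ]; then
        echo firewall-services-reachable   # nothing wrong on this path
    elif [ "$3" -gt 0 ]; then
        echo firewall-services-only        # the opening post's symptom: ping and LAN work,
                                           # the firewall's own daemons do not answer
    else
        echo lan-unreachable               # tunnel is up but nothing on the LAN side answers
    fi
}

main() {
    icmp=$(probe_icmp "$FW")
    fw_open=$(count_open "$FW" 22 443 53)          # SSH, HTTPS, DNS on the firewall
    lan_open=$(count_open "$LAN_HOST" 445 3389)    # SMB and RDP on a LAN host
    echo "firewall ping: $icmp, firewall ports open: $fw_open/3, LAN host ports open: $lan_open/2"
    echo "verdict: $(classify "$icmp" "$fw_open" "$lan_open")"
}

# Only touch the network when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = run ]; then
    main
fi
```

      Run it as `./check.sh run` from the connected client; a `firewall-services-only` verdict confirms the situation in the post (bridge forwarding works, firewall-local services do not), which narrows the search to what pfSense does with traffic addressed to itself on the bridge rather than to firewall rules on the member interfaces.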
      coffeecup25

        I have both tap and tun servers. I used tap until I found out tun could do most of the same things if configured properly. My tap guide was similar to the one you linked to. If you can get to the LAN (for example in File Explorer, \\my_file_server) then you should be able to get to the router. Try 192.168.1.1 from a browser window.

        I have two tun servers. One is for private browsing only over public Wi-Fi. It uses an auto-logon file for convenience. The second uses two passwords and a different user ID. In both cases, the certs must match the user ID. The user ID is not obvious because I renamed files in the config directory. The idea for the second one is that the LAN should be harder to get to, just in case.

        Tap is more full-service, but tun does the job and is easier to set up.

        The LAN-oriented tun server config is the same except for a couple of settings on the main server page. I used the wizard because it provides all the detail work automatically.

        Edit: the tap guide I used. It worked.

        https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

        For tun:

        Uncheck Redirect gateway
        Enter the local network into the box
        Recheck Redirect gateway

        (This allows you to access the LAN and route through the home network.)

        Check Enable NetBIOS over TCP/IP.

        For node type I have p; I'm not quite sure what it does, but things worked better with this setting.

        I also added DNS servers and checked Force DNS cache update.

        Accessing LAN resources differs a little too. With tap it's \\my_file_server in File Explorer. With tun it's \\192.168.1.156, for example. At least for me.

        One big difference is that tap will not work with Android without the Google Play app which allows it. The cost is about $10. It works great.

        Remote Desktop over the local LAN works perfectly with both tap and tun.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.